CVE-2026-27016

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.4 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 24.10.0 through 26.1.1 are vulnerable to Stored XSS via the unit parameter in Custom OID. The Custom OID functionality lacks strip_tags() sanitization while other fields (name, oid, datatype) are sanitized. The unsanitized value is stored in the database and rendered without HTML escaping. This issue is fixed in version 26.2.0.

Vulnerability Details

Published Date

February 18, 2026

Last Modified

February 20, 2026

CWE ID

CWE-79

Source

GitHub

Vendor

composer

Product

librenms/librenms

External References

https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g
https://github.com/librenms/librenms/pull/19040
https://github.com/librenms/librenms/commit/3bea263e02441690c01dea7fa3fe6ffec94af335
https://github.com/librenms/librenms/releases/tag/26.2.0
https://github.com/advisories/GHSA-fqx6-693c-f55g

CVE-2026-27016

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment